Depending on the money you have, you could go for something like www.akamai.com. There are also some techniques you can implement, but these are normally costly or inefficient.
– LukeJenx Oct 24 '12 at 15:00

2 Answers

To avoid downtime during a DDoS while running a single server, you can make sure that your operating system remains stable during the DDoS, so that when the attack is gone it continues to work. This can be accomplished the following way:

Set up iptables with a rate limit

Add a Varnish proxy and configure it to deny attacks; it's stable and very resilient and has some modules to support it.

Enable SYN cookies

Use the latest Linux kernel

This is a very difficult thing to do and not straightforward; that's why the answer is a bit vague, and you will hardly get anything else.

In essence, you should make sure that the flood is not reaching your application level and causing the server to choke, but that connections are dropped instead.

Using rate limiting in iptables can cause a significant slowdown in the service, and you'll need to extend the bucket size. Yes, it's better than nothing, but it has side effects.
– symcbean Oct 24 '12 at 15:42

"Add Varnish proxy and configure it to deny attacks": can you explain how to do it?
– Rana Prathap Jul 24 '14 at 10:25

I have a Varnish installation in place, but it still suffers from DoS.
– Rana Prathap Jul 24 '14 at 10:33

The best way to protect against a DDoS is to have the capacity to service all the requests, but that may mean significant expenditure on hardware and bandwidth. OTOH a bit of tuning goes a long way to improving capacity and performance, which benefits your legitimate users and your business too.

Event-based servers can handle a large number of connections much more gracefully than pre-fork or thread-based servers; you don't say what your architecture looks like / what software you are using. Hence running nginx / lighttpd / Varnish / ATS can give you a lot more capacity.

Using a CDN may help if your content is cacheable.

If the DDoS is soaking up CPU / memory then running a caching reverse proxy will help if the DDoS targets cacheable content. It's not going to help if the content is not cacheable / the attack targets locking problems / it fills up your network bandwidth.

Assuming you want to maintain the service during a DDoS, that means being able to differentiate between legitimate traffic and DoS traffic. Make sure your webserver is already logging user agents and essential cookies.

If you can run some application logic on the front-end device then you have the opportunity to apply some code to capture and differentiate between legitimate and DoS traffic: you can start looking at URLs, cookies, IP address information, user agents etc.

If you've got problems with non-cacheable content then you can start redirecting requests to a cacheable page where you require some user intervention to un-gate access to the real site (e.g. by requiring the user to click on a link to set a cookie).

You can apply profiling to the requests and feed the results into, say, fail2ban (you might want to google for a smarter guide than this one, which covers in general terms how to set it up but doesn't do a very good job of explaining how to detect the attack and selectively pass the information on to fail2ban). But note that adding entries in the rules chain for iptables can have a significant impact on performance.

If your userbase follows a well-defined geography, then using the geoip module with iptables will help, but it'll need a bit of work to configure switching between open-access and restricted-access modes of operation.

we are running several e-Commerce websites

Implies SSL, so there's a significant risk of CPU starvation. I'll probably get flamed for this, but beware of the PFS cipher suites: they are rather expensive (the most recent ones in OpenSSL are a lot better). There's some good stuff on protecting SSL against DoS here.

Hopefully you're not running Magento / WordPress!

Ideally you want to be able to block the traffic before it even gets to your server; speak to your hosting provider / upstream network provider to see what they can do to help you.
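To make the request-profiling step concrete, here is an added example in Python (not code from the answer above or from any project) of the kind of profiling it describes: it parses constructed webserver log lines, flags clients by per-IP request rate in a sliding window, by repeated hits on a non-cacheable URL without the session cookie, and by an empty user agent, and emits fixed-shape lines that a fail2ban jail could match. The log layout (Apache combined plus one extra quoted Cookie field), the thresholds, the cookie name, the /checkout prefix and the DOS-SUSPECT line shape are all assumptions, and the sample lines are constructed, not captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Assumed (hypothetical) layout: Apache "combined" format plus one extra quoted Cookie field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # lines not in the assumed layout are skipped, not guessed at
    return dict(m.groupdict(), ts=datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))

def profile_requests(lines, window=10, max_hits=20, gated_prefix="/checkout", cookie="session="):
    """Return {ip: [reasons]} for clients that look like flood traffic: too many hits per sliding
    window, repeated hits on a non-cacheable URL without the session cookie, empty user agent."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, start = [], 0
        for end, rec in enumerate(recs):  # sliding window over timestamps
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 > max_hits:
                reasons.append("rate")
                break
        if sum(r["url"].startswith(gated_prefix) and cookie not in r["cookie"] for r in recs) >= max_hits // 2:
            reasons.append("gated-url-without-cookie")
        if all(r["ua"] in ("", "-") for r in recs):
            reasons.append("empty-user-agent")
        if reasons:
            flagged[ip] = reasons
    return flagged

def ban_log_lines(flagged):
    """One fixed-shape line per suspect for a fail2ban failregex to match (line format is assumed)."""
    return ["DOS-SUSPECT ip=%s reasons=%s" % (ip, ",".join(r)) for ip, r in sorted(flagged.items())]

def make_line(ip, second, url, ua, cookie):  # builds one constructed sample line, not captured traffic
    ts = datetime(2012, 10, 24, 15, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "%s" "%s"' % (ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), url, ua, cookie)

# Constructed sample: one client hammering /checkout with no cookie or UA, one normal shopper.
SAMPLE_LINES = [make_line("203.0.113.7", s // 5, "/checkout", "", "") for s in range(150)]
SAMPLE_LINES += [make_line("198.51.100.3", s * 30, "/checkout", "Mozilla/5.0", "session=abc") for s in range(4)]
```

Running `ban_log_lines(profile_requests(SAMPLE_LINES))` yields one DOS-SUSPECT line for 203.0.113.7 and nothing for the shopper, which is the selective hand-off to fail2ban the answer has in mind.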